METHOD AND APPARATUS FOR FINITE FIELD BASIS CONVERSION



The present invention relates to cryptographic systems and more particularly, to 
the conversion of elements in a finite field having one basis to elements of a finite field 
having another basis and wherein the elements are used in a cryptographic operation. 

BACKGROUND OF THE INVENTION 

Cryptographic operations are generally implemented on elements in a finite field. 
Various finite fields are of interest to cryptographers, for example the multiplicative 
groups of prime fields F(p), the multiplicative groups of finite fields of characteristic two, 
F(2^n), and elliptic curve groups over finite fields, E(F_p) or E(F_{2^n}). The elements in a 
given finite field are represented in terms of a basis for the finite field. The basis elements 
are themselves elements of the finite field. 

Certain efficiencies may be realized in cryptographic operations by choosing a 
particular basis for the finite field. For example, in the finite field F(2^n), two 
common choices of basis are the polynomial basis and the normal basis. A problem arises, 
though, in the choice of basis: two parties using the same cryptographic scheme but 
different basis elements must perform a basis conversion operation on the field elements 
in order to obtain the same cryptographic result. 

In general, let F(q^n) be a finite field, where q is a prime or a prime power, the 
degree of the field is n and its order is q^n. A basis for the finite field is a set of n elements 
b_0, b_1, ..., b_{n-1} ∈ F(q^n) such that every element A of the finite field can be represented 
uniquely as a linear combination of basis elements: 



where the a_i ∈ F(q) are the coefficients. Arithmetic operations are then performed on this 
ordered set of coefficients. 
It follows that using a different basis yields a different ordered set of coefficients 
for the same element. 

Various techniques have been implemented to convert between two choices of 
basis for a finite field. A conventional approach uses a matrix multiplication, 
wherein basis conversion is performed with a change-of-basis matrix of dimension m, 
requiring storage of size m^2. If m is typically 160 bits, this occupies significant storage in 
devices such as a smart card. General finite field techniques are described in the 
"Handbook of Applied Cryptography", CRC Press, 1996, by S.A. Vanstone et al., 
incorporated herein by reference. Other techniques for basis conversion are described in 
United States Patent No. 5,854,759 to Kaliski et al., also incorporated herein by reference. 

SUMMARY OF THE INVENTION 

The present invention seeks to provide a method and apparatus for basis 
conversion that is efficient in terms of memory and computation time and is 
particularly adapted for use with smart cards and other low power cryptographic tokens. 

In accordance with this invention, there is provided a method for basis conversion, 
the method comprising the steps of a first correspondent transmitting an element 
represented in a first basis to an intermediate processor; the intermediate processor 
converting the element into a second basis representation; forwarding said converted 
element to the first correspondent; and the first correspondent operating on the converted 
element in a cryptographic operation. 

BRIEF DESCRIPTION OF THE DRAWINGS 

These and other features of the preferred embodiments of the invention will 
become more apparent in the following detailed description in which reference is made to 
the appended drawings wherein: 

Figure 1 is a schematic diagram of an embodiment of a basis conversion system in 
accordance with the present invention; 

Figure 2 is a schematic diagram of a further embodiment of a basis conversion 
system in accordance with the present invention; and 

Figure 3 is a flow diagram illustrating a key exchange scheme in accordance with 
an embodiment of the invention. 
DESCRIPTION OF THE PREFERRED EMBODIMENTS 

In a first embodiment, shown in Figure 1, a pair of correspondents are represented 
by A and B and an intermediate processor, such as a server, certifying authority or other 
helper processor, is represented by H. It is assumed the correspondents A and B include 
processors for performing cryptographic operations and the like that may be implemented 
in hardware or in software operated on a general purpose computer. In this case the 
software may be encoded on a data carrier such as a CD ROM or computer disk for 
loading on to the computer. Specifically, A and B perform cryptographic operations in the 
bases β1 and β2, respectively. It is further assumed that the respective cryptographic 
parameters are contained within the entities A and B. For example, in an elliptic curve 
scheme the system parameters include at least a point P on the elliptic curve, the order of 
the curve and the parameters of the elliptic curve equation E. 

In this embodiment, each of the entities A and B generates a respective random 
value k_i, generally the private session key, and each computes a public value k_iP, 
represented in terms of their respective bases β1 and β2. One of the entities, A for 
example, transmits its public key kPβ1 to the server H. The server H performs a basis 
conversion, utilizing one of many basis conversion algorithms, to convert the public key 
kPβ1 represented in basis β1 to a public key kPβ2 represented in terms of the basis β2. The 
converted key is transmitted back to the correspondent A. The correspondent A then 
computes the signature s = k^{-1}(h(m) + dr), where r = kPβ2. The signature s and r are then 
transmitted to the other correspondent B, and processed by B in the basis β2. 
Similarly, if correspondent B wishes to communicate with A, it also transmits its public key 
kPβ2 to the server, which performs the conversion on the key and sends it back to the 
correspondent B. The correspondent B also computes a signature using r = kPβ1. 

In this embodiment, a helper or intermediate processor is utilized to perform the 
basis conversion, thereby allowing relatively low power computing devices A and B, such 
as smart cards, to correspond. Furthermore, the cryptographic scheme is not 
compromised, since the public key may be transmitted in the clear without requiring a 
secure communication path between the correspondent and the server. 

Referring to Figure 2, in a second embodiment each of the correspondents A and B 
has a respective public key, aP represented in terms of basis β1 and bP represented in 
terms of basis β2. The first correspondent A transmits its public key aPβ1 to the server H, 
which performs the basis conversion on the element to a representation in basis β2 and 
transmits this key aPβ2 to the second correspondent B. The second correspondent B 
also transmits its public key bPβ2 to the server, where a basis conversion is performed on 
the key to the basis β1 of the first correspondent. The key bPβ1 is forwarded to the first 
correspondent A. Each of the correspondents then computes a common key by combining 
its private key with the other correspondent's received public key. Thus, A computes 
abPβ1 and B computes baPβ2. 

The correspondents have now performed a key exchange, each having a shared 
key, although represented in a different basis and only one of the correspondents need 
perform a basis conversion. The common keys may then be used in a conventional 
manner in subsequent steps of the encryption scheme. 

In a third embodiment, it is again assumed that the correspondents A and B operate 
in bases β1 and β2 respectively. The bases β1 and β2 may represent any basis. 
Furthermore, we define a field element α such that correspondent A represents the element 
α in terms of the basis β1 and correspondent B represents the field element α in terms of 
basis β2. The correspondents make use of a bit string that is a function of a sequence of 
traces of the field element as a shared secret to perform certain cryptographic 
operations. 

In this embodiment let p be a prime and let q = p^m, where m ≥ 1. Let F_q be the 
finite field having q elements and F_{q^n} its n-dimensional extension. The cyclic group G 
of F_{q^n} over F_q is generated by the mapping σ(α) = α^q, α ∈ F_{q^n}, and is of order n. We 
may then define the trace function of F_{q^n} over F_q as 



For brevity, the trace function is simply represented as Tr. The traces Tr(αβ1) and 
Tr(αβ2) have the property that the trace of an element α represented in terms of basis β1 
is the same as the trace of the element α represented in terms of basis β2. 

If a key of length n = 128 bits is to be constructed, then the traces of odd powers of 
α are taken. The traces, namely Tr(α), Tr(α^3), ..., Tr(α^257), are each either 0 or 1. Since the 
trace is independent of the representation, it does not matter which one of the entities 
performs the trace. As an aside, it may be noted that we could also use the traces 
Tr(f_1(α)), ..., Tr(f_k(α)); that is, the trace maps F(2^n) to the elements {0, 1}, or F(2). 
Therefore, Tr maps F(2^n) to F(2). In general, any invariant function may be utilized in 
place of the trace. 

In general, if F(q^n) is the finite field and F(q) is the ground field over which it is 
defined, the elements of the finite field can be represented in a number of ways depending 
on the choice of basis. Two common types of basis are the polynomial basis and the normal 
basis. If β1 is a polynomial basis, then the basis elements may be represented as 1, β, 
β^2, ..., β^(n-1), where β is a root or generator. Assuming f(β) = 0, where f(x) is 
irreducible of degree n, i.e. irreducible over the ground field, then, if a field element is 
given by α = a_0 + a_1 β + ... + a_(n-1) β^(n-1), the trace is given by 

Tr(α) = a_0 + a_1 Tr(β) + a_2 Tr(β^2) + ... + a_(n-1) Tr(β^(n-1)). 

It may be observed that the trace is linear, and if the irreducible f(x) has the form 

x^n + g(x), where the degree of g(x) is k, then 

Tr(β^j) = 0 for j = 1, 2, ..., n-k-1. 
If the irreducible polynomial is given by 

x^n + a_(n-1) x^(n-1) + a_(n-2) x^(n-2) + ... + a_0 
and if a_(n-1) = 0 then Tr(β) = 0, and if a_(n-1) = 0 and a_(n-2) = 0 then Tr(β^2) = 0. The observation is 
that if consecutive leading coefficients of the irreducible polynomial are zero then the traces of 
that many powers of β are zero. 

Thus, the trace bit string may be used as a shared secret to perform the remaining 
cryptographic operations. In deciding upon a key, the users (correspondents) normally 
select a bit string that is a function of a sequence of traces of a selected field element. For 
example, if a bit string (key) of length 3 is desired, the traces of α, α^3, α^2 could be used. The 
order of the sequence of traces may on occasion be arbitrarily chosen but must be known to the 
correspondents. The following examples more clearly illustrate the derivation of a key. 

Example 1: In this example the traces of α and α^3 are used to create a binary key of 
length 2. 

Basis 1: The irreducible chosen is f(x) = x^3 + x + 1 = 0; x^3 = x + 1 
Element α in this basis is α = 1 + x^2; then the key = (Tr(α), Tr(α^3)) 
Tr(1) = 1 + 1^2 + 1^4 = 1; (x^4 = x^2 + x) 
Tr(x) = x + x^2 + x^4 
      = x + x^2 + x^2 + x = 0 
Tr(x^2) = x^2 + x^4 + x^8 
        = x^2 + (x^2 + x) + (x^2 + x)^2 
        = x^2 + (x^2 + x) + x = 0 
Tr(α) = Tr(1 + x^2) = Tr(1) + Tr(x^2) = 1 + 0 = 1 
α^3 = α·α^2 = (1 + x^2)(1 + x^2)^2 = (1 + x^2)(1 + x^4) 
    = (1 + x^2)(1 + x + x^2) 
    = 1 + x + x^2 + x^2 + x^3 + x^4 
    = 1 + x + x^3 + x^4 
    = 0 + x^2 + x 
    = x^2 + x 
Tr(α^3) = Tr(x^2) + Tr(x) = 0 + 0 = 0 
Thus the key = (1, 0) 

Example 2: In this example a different basis is used (basis 2) and α is converted to 
its representation in this basis by (1) finding a root r of the polynomial for basis 1 in the 
representation generated by basis 2, and (2) then evaluating the polynomial representing α 
in basis 1 at r. The traces of α and α^3 are calculated in basis 2 to generate the same binary 
key as was created in basis 1 above. 

Basis 2: The irreducible chosen is g(y) = y^3 + y^2 + 1; y^3 = y^2 + 1 

To find α in basis 2, find a root of f(x) = x^3 + x + 1 (the irreducible in basis 1) in 
basis 2. 

Note: (y + 1)^3 + (y + 1) + 1 = y^3 + y^2 + y + 1 + y + 1 + 1 = 0 + y + 1 + y + 1 = 0 
Let r = y + 1; then α = 1 + x^2 -> α' = 1 + r^2 = 1 + (y + 1)^2 = 1 + y^2 + 1 = y^2 
Key = (Tr(α'), Tr((α')^3)); y^4 = y^3 + y = y^2 + y + 1 
Tr(1) = 1 + 1 + 1 = 1 
Tr(y) = y + y^2 + y^4 = y + y^2 + y^2 + y + 1 = 1 
Tr(y^2) = y^2 + y^4 + y^8 = y^2 + y^2 + y + 1 + (y^2 + y + 1)^2 
        = y + 1 + y^4 + y^2 + 1 
        = y^4 + y^2 + y 
        = y^2 + y + 1 + y^2 + y = 1 
Tr(α') = Tr(y^2) = 1 
(α')^3 = y^6 = (y^3)^2 = (y^2 + 1)^2 = y^4 + 1 = y^2 + y + 1 + 1 = y^2 + y 
Tr((α')^3) = Tr(y^2 + y) = Tr(y^2) + Tr(y) = 1 + 1 = 0 
Thus the key = (1, 0) as in basis 1. 
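The two worked examples above carried out in code, as an added example written for this page (not the patent's own material): carry-less integer arithmetic over F(2^n), the trace as the sum of Frobenius conjugates, the basis change of Example 2 by root finding and polynomial evaluation, and a key derived from any chosen list of powers (the odd powers of the 128-bit case included). The irreducibles and α = 1 + x^2 are the page's; the function names are this example's own.

```python
# Added example (not the patent's code): polynomial arithmetic over F(2^n), the
# trace Tr(a) = a + a^2 + ... + a^(2^(n-1)), and the basis change of Example 2.
# A polynomial is an int whose bit i is the coefficient of x^i; n = f.bit_length() - 1.

def gf_mul(a, b, f):
    """Carry-less multiply a*b, reduced modulo the irreducible f."""
    n, r = f.bit_length() - 1, 0
    while b:
        if b & 1:
            r ^= a
        b, a = b >> 1, a << 1
        if (a >> n) & 1:
            a ^= f
    return r

def trace(a, f):
    """Tr(a): sum of the n Frobenius conjugates a^(2^i); always 0 or 1."""
    t = 0
    for _ in range(f.bit_length() - 1):
        t ^= a
        a = gf_mul(a, a, f)
    return t

def trace_key(a, f, powers=(1, 3)):
    """The shared bit string: traces of the chosen (e.g. odd) powers of a."""
    bits, p = [], 1
    for e in range(1, max(powers) + 1):
        p = gf_mul(p, a, f)  # p = a^e
        if e in powers:
            bits.append(trace(p, f))
    return tuple(bits)

def eval_poly(p, x, g):
    """Horner evaluation of polynomial p (bit coefficients) at x in F(2)[y]/(g)."""
    acc = 0
    for i in reversed(range(p.bit_length())):
        acc = gf_mul(acc, x, g) ^ ((p >> i) & 1)
    return acc

def convert(a, f, g):
    """Basis 1 -> basis 2: brute-force a root r of f in F(2)[y]/(g), then evaluate a at r."""
    r = next(x for x in range(1 << (g.bit_length() - 1)) if eval_poly(f, x, g) == 0)
    return eval_poly(a, r, g)

F1, F2 = 0b1011, 0b1101  # x^3 + x + 1 (basis 1) and y^3 + y^2 + 1 (basis 2)
ALPHA = 0b101            # alpha = 1 + x^2 in basis 1
def example():
    a2 = convert(ALPHA, F1, F2)  # y^2, as in Example 2
    return trace_key(ALPHA, F1), a2, trace_key(a2, F2)
```

The same key falls out in both bases because the trace is invariant under the field isomorphism, so neither correspondent has to agree on a basis before deriving the bit string.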

Referring to Figure 3, a key agreement scheme shows the correspondents A and B 
operating in bases β1 and β2 respectively. The bases β1 and β2 may represent any basis. 
Furthermore, A and B each have the following system parameters: a long-term private key 
d and a long-term public key, Q_A = d_A P and Q_B = d_B P, where P is a point on an elliptic 
curve represented in terms of the respective bases. The correspondent A represents P in 
terms of the basis β1 and correspondent B represents P in terms of basis β2. In a typical 
Diffie-Hellman key agreement scheme, each of the correspondents A and B generates a 
respective ephemeral private key k_A and k_B and computes a corresponding short term 
(session) public key k_A Pβ1 and k_B Pβ2. A and B exchange their respective public keys and 
convert them to their own basis. If the correspondents are low power devices, such as 
smart cards or the like, then basis conversion may be performed by an intermediate 
processor such as described with reference to Figures 1 and 2. Alternatively, if the 
correspondents have sufficient computing power, then basis conversion may be performed 
by the correspondents themselves, according to one of many basis conversion methods. In 
any event, after the basis conversion, correspondent A has B's public key (k_B Pβ2)β1 and B 
has A's public key (k_A Pβ1)β2. A shared secret is computed in their respective bases by 
computing k_A (k_B Pβ2)β1 = αβ1 and k_B (k_A Pβ1)β2 = αβ2. Each of the correspondents takes a 
sequence of traces of their respective field element α to derive a common bit string. 

Applying the method to a signature scheme, the correspondent A generates its 
ephemeral public session key kPβ1. A trace sequence may be constructed, for example, of 
the x-coordinate of kPβ1, producing a bit string T. The bit string is passed through a hash 
function g to derive a signature component r. A second signature component 
s = k^{-1}(m + dr) is computed, where d is A's long-term private key. The signature 
components are transmitted to B for verification. The verifier B computes 
m s^{-1} Pβ2 + r s^{-1} Q_Aβ2 = kPβ2, where Q_Aβ2 is the long-term public key of A in basis 2. This 
basis conversion could be performed by A using an intermediate H as described earlier. B 
then generates a trace sequence from the computed value kPβ2 and applies the hash function g to 
derive a value r'. If r' = r, then the signature is verified. 

Although the invention has been described with reference to certain specific 
embodiments, various modifications thereof will be apparent to those skilled in the art 
without departing from the spirit and scope of the invention as outlined in the claims 
appended hereto. 